Address Resolution Protocol

Communication on a network requires both physical and logical addresses.

Physical Address – MAC Address

Logical Address – IP Address

The physical address facilitates communication on a single network segment for devices that are connected through a layer 2 device such as a switch.

Figure MAC Address & Logical Address

Let’s look at a scenario where you want to SSH in to PC B from PC A using PC B’s IPv4 address. Let’s also assume these hosts are Linux hosts in the same network segment connected through a switch. So, at the terminal you enter the command ssh ippacket@192.168.10.2.

At this point the only missing information is the layer 2 Data Link data containing the MAC address of PC B.

Ok why do we need a MAC address?

We need a MAC address because switches that interconnect devices use MAC addresses to make forwarding decisions not IP addresses. Switch maintains a list of MAC addresses it learns in a table called the Content Addressable Memory (CAM). When a packet arrives on the ingress interface, it examines the destination MAC address and looks up the CAM table to determine the egress interface.

If the destination MAC address is unknown to a transmitting device, it will first check its local cache for the MAC address. If it is not there, then the target IP must be resolved to the corresponding MAC address through additional communication.

In our scenario, PC A will first look at its local ARP cache to see whether it has the corresponding MAC address for PC B’s IPv4 address 192.168.10.2. Initially, PC A will not have this information.

This is where address resolution protocol (ARP) comes to the rescue. The address resolution protocol is used to dynamically map a logical IP address (Network Layer Address) to a physical MAC Address (Data Link Layer Address). ARP is defined in RFC 826.

The ARP resolution process is as follows

The transmitting computer sends out an ARP request saying my IP address is xx.xx.xx.xx and my MAC address is xx:xx:xx:xx:xx:xx. I need to send something to whoever has the IP address yy.yy.yy.yy but I don’t know it’s hardware address. Whoever has this IP address please reply back with your MAC address?

This request is broadcasted to everyone on the network segment.

Each TCP/IP host that receives this broadcast processes it and the packet is discarded by each host that does not own this IP address.

However, the TCP/IP host that owns the IP address yy.yy.yy.yy responds back saying hey you with IP address xx.xx.xx.xx and MAC address xx:xx:xx:xx:xx:xx, I am the person you are looking for. Here is my MAC address yy:yy:yy:yy:yy:yy.

Once this transmission is complete the transmitting device updates it’s ARP cache with MAC-to-IP address association and begin sending data.

The ARP Request

Figure The ARP Request

Let’s examine the packet capture of this process.

Figure Wireshark Capture of ARP Request

ff:ff:ff:ff:ff:ff this is the Ethernet Broadcast address. Anything sent to this destination address will be sent to all TCP/IP hosts on that segment.

This is the Source MAC address of this Ethernet frame, which is set to PC A’s MAC address.

The packet’s opcode is set to 1 which indicates an ARP request.

Inside the ARP request the Sender MAC address is set to PC A’s MAC address.

Inside the ARP request the Sender IP address is set to PC A’s IPv4 address.

Inside the ARP request the Target MAC address is unknown.

Inside the ARP request the Target IP address is set to PC B’s IPv4 address.

The ARP Response

Figure The ARP Response

Let’s examine the packet capture of the ARP response process.

Figure Wireshark Capture of ARP Reply

The Ethernet Destination MAC address is now set to PC A’s MAC Address.